Pluggable authentication modules (PAM) allow you to configure your Linux environment with the level of security you deem necessary. This chapter from Linux System Security describes PAM and its configuration, looks at some available PAM modules, and discusses several examples of PAM in use.

Pluggable Authentication Modules

Although pluggable authentication modules (PAM) cannot protect your
system after it has been compromised, they can certainly help prevent the
compromise to begin with. They do this through a highly configurable
authentication scheme. For example, conventionally UNIX users authenticate
themselves by supplying a password at the password prompt after they have typed
in their username at the login prompt. In many circumstances, such as
internal access to workstations, this simple form of authentication is
considered sufficient. In other cases, more information is warranted. If a user
wants to log in to an internal system from an external source, like the
Internet, more or alternative information may be required, perhaps a
one-time password. PAM provides this type of capability and much more. Most
important, PAM modules allow you to configure your environment with the
necessary level of security.

This chapter describes the use of pluggable authentication modules for Linux
(Linux-PAM or just PAM),
as distributed with Red Hat 5.2/6.0, which provides a lot of authentication,
logging, and session management flexibility. We generally describe PAM and its
configuration, take a look at many of the available PAM modules,
and consider a number of examples.

Most recent Linux distributions include PAM. If your version does not,
check out the web site:

There you will find source code and documentation. It is well worth the
effort to download, compile, and integrate PAM into your system.

PAM provides a centralized mechanism for authenticating all services. It
applies to login, remote logins (telnet and rlogin or
rsh), ftp, Point-to-Point Protocol (PPP), and su, among
others. It allows for limits on access of applications, limits of user access to
specific time periods, alternate authentication methods, additional logging, and
much more. In fact, PAM may be used for any Linux application! Cool! Let's
see how it works.